Skype Halts Password Resets as Massive Security Hole Discovered

A massive security hole has been found in Microsoft's Skype application, where it is possible to gain access to a user's account by knowing nothing more than their email address.

It is then possible to gain access to the target's account, change their password and associated email address, and lock them out for good, as any password reset requests by them will be sent to the new email address, not theirs.

UPDATE: Skype has since shut down its password reset tool while it investigates the issue. The company told IBTimes UK: "We have had reports of a new security vulnerability issue.

"As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority."

The flaw was posted on a Russian forum two months ago - the hackers apparently informed Skype of the problem before going public - and the exploit has now been reproduced successfully by The Next Web, which has refused to link to the original source but confirms the hack was still possible until Skype halted password resets.

The Next Web explains: "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email.

"Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
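The flaw class The Next Web describes, modelled as an added example that is not Skype's code or the forum exploit: a reset token delivered to whichever client session requested it, beside the corrected design that delivers it only to the registered mailbox. The `ResetFlow` class, its method names and all sample values are assumptions constructed for illustration.

```python
import secrets
class ResetFlow:
    # Toy model of password-reset delivery (constructed; not Skype's code).
    def __init__(self):
        self.accounts = {}     # username -> {"email": str, "password": str}
        self.tokens = {}       # token -> username
        self.app_inbox = {}    # session_id -> [tokens]: in-app delivery channel
        self.mail_outbox = {}  # email -> [tokens]: out-of-band delivery channel
    def register(self, username, email, password):
        self.accounts[username] = {"email": email, "password": password}
    def _issue_for(self, email):
        # Mint a single-use token bound to the account that owns `email`.
        user = next((u for u, a in self.accounts.items() if a["email"] == email), None)
        if user is None:
            return None
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = user
        return tok

    def request_reset_vulnerable(self, email, session_id):
        # Flaw class: the token for the account that owns `email` is handed to
        # whichever client session asked for it, so knowing the email suffices.
        tok = self._issue_for(email)
        if tok:
            self.app_inbox.setdefault(session_id, []).append(tok)

    def request_reset_fixed(self, email):
        # Fix: the token goes only to the registered mailbox, never to the
        # requesting client; the response is identical for unknown emails.
        tok = self._issue_for(email)
        if tok:
            self.mail_outbox.setdefault(email, []).append(tok)

    def redeem(self, token, new_password):
        user = self.tokens.pop(token, None)  # single use
        if user is None:
            return False
        self.accounts[user]["password"] = new_password
        return True

def stranger_gets_usable_token(use_fixed_flow):
    """True if a session that knows only the victim's email can redeem a reset token."""
    svc = ResetFlow()
    svc.register("victim", "victim@example.com", "original-secret")
    if use_fixed_flow:
        svc.request_reset_fixed("victim@example.com")
    else:
        svc.request_reset_vulnerable("victim@example.com", session_id="stranger-device")
    return any(svc.redeem(t, "chosen-by-stranger") for t in svc.app_inbox.get("stranger-device", []))
```

A hardened flow should also confirm any change of the associated email address through the old address, so that a redeemed token cannot silently redirect future resets as the article describes.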

This is a glaringly obvious hole in Skype's security, as anyone who knows your email address - or at least the one you use to log into Skype - can take over your account and lock you out permanently, giving the hacker access to your contacts, conversation logs, and the use of any paid-for plans you have, or credit on your account.